IEX Bolsters Information Security With Top Hire From BlackRock

Benjamin Smith joined IEX as the private trading venue's head of information security last week. In a Q&A, Smith discusses his new role, Regulation SCI, and what exchanges and ATSs can do to combat hackers in 2015.

IEX Group, the fast-growing private trading venue, has hired Benjamin A. Smith as director of information security to bolster its security as it prepares to become a full-fledged US stock exchange.

Benjamin Smith, IEX Group

Smith was previously director of information security at BlackRock, the world's largest money manager, with $4 trillion in assets under management. He joined BlackRock in 2007, becoming its first chief information security officer, after handling security for the foreign exchange trading venue FXall, according to his LinkedIn profile. He has 19 years of information security experience, including management of multiple global teams and a broad technology background.

Wall Street & Technology editor at large Ivy Schmerken conducted a Q&A with Smith about his new role, the need for compliance with Regulation SCI, and what the threat landscape means for financial services in 2015.

What are your top three priorities in joining IEX, a dark pool that is applying to become an exchange? Do you have any ideas on what changes you will be making?

When joining any firm, one needs to understand the existing environment, risks, and business decisions that were made to bring the company to where it is today. My first priorities will be:

Review policies, procedures, and controls that comprise the information security program to understand the maturity of the program.

Review the infrastructure and major applications to get a context of how the information security program integrates with the business requirements and the complexities of that integration.

Make suggestions to enhance the program based on what I find.

As for specific changes, I am at the end of my first week and still drinking from the proverbial fire hose to learn about this environment. It would be a little premature to start talking about changes at this time, but it has been refreshing to be a part of a market center built within the last two years. Starting with a blank sheet of paper has many advantages.

How is managing information security of an exchange going to be different from safeguarding an asset management firm?

The size of the company changes the context of managing information security. My former employer was a company with thousands of employees from around the world, while IEX is a small startup with about 50 employees, all located in the same building. Given IEX's size, I can go directly to the stakeholders, and we can directly effect change -- which makes the process a lot more fluid and effective.

Asset managers, especially those that are largely institutional, managing substantial AUM, rank fairly low on the risk spectrum as assets are tightly held and more concentrated, whereas exchanges operate at the nexus of the markets and have relationships with a diverse set of market participants and so are at the other end of the risk spectrum.

I expect being the information security engineer of IEX to be very intense with more potential threat actors than I saw at BlackRock.

Given that BlackRock is the world's largest asset manager, what lessons are you bringing from that experience?

Information security is a constantly evolving field. Twenty years ago, one could deploy anti-virus software and a firewall, and that would be sufficient. Today there are dozens of technologies that each comprise part of an information security program. It is also a field that includes information sharing amongst firms that normally compete as businesses but are all on the same team when it comes to protecting our firms against security threats. In my time at BlackRock, I forged relationships with the CISOs at other financial firms and their teams. We used industry associations like FS-ISAC to trade tactical information about current attacks and threat actors. I will leverage these relationships to enhance the program at IEX.

At BlackRock, I managed a global team using a variety of existing and emerging products, building a comprehensive set of practices. Some products were better than other products. I will leverage that experience to bring best-of-breed products to IEX to ensure that our information security program is world class.

The SEC approved Regulation SCI to protect critical market systems, including exchanges, certain alternative trading systems, plan processors, and clearing agencies. What steps will you take at IEX to ensure compliance with this new regulation? Do you think that Reg SCI will help prevent cyberattacks?

Much of Reg SCI is standard information security best practices. One should have effective information security policies and procedures based on a commonly accepted framework. One should conduct risk assessments. One should detect security events and respond to them, and one should have disaster recovery plans and test those plans. Generally every financial firm has these items in place today. Reg SCI couples these components with an SEC reporting requirement for security events and material system changes, along with industrywide disaster recovery testing. Much of the compliance with Reg SCI will be in establishing submission of these reports to the SEC, as well as an initial overview of policies with the SEC.

None of these regulations will prevent cyberattacks. Attacks come every day. Complying with the regulation will decrease the effectiveness of attacks. Reg SCI will identify those firms which do not have robust information security programs and force them to improve. For the firms that have strong information security programs today, Reg SCI will likely drive increased budget and headcount into the information security department to handle the reporting requirements. For firms with limited budgets, Reg SCI will divert existing funds away from current programs, potentially weakening the existing program.

With recent cyberattacks on JP Morgan and threats or attempts made on other financial institutions, do you think that exchanges and other execution venues should be doing more to protect against potential security breaches?

We frequently hear news of cyberattacks in the press. However, those are just the tip of the iceberg as many do not make the press cycle. Attacks happen 24 hours a day, seven days a week; 99.9% of them are blocked by technology, practices, and controls. Some are the equivalent of checking to see if a door is locked. Some attack everyone on the Internet to exploit an unlucky few. Others are very tightly targeted at specific firms or individuals. Information security teams review all of these events and react to eradicate the ones that are successful. Every firm wants to bring in more technology, processes, and people to block more attacks and speed up the detection of ones in progress. Budget realities mean that each business needs to balance what they have today and what they want for tomorrow against the risk and what they can afford.

Exchanges and ATSs are at the heart of the capital markets, and obviously, they take security very seriously. What are your predictions for 2015? Will we see more vigilance -- more coordinated testing?

In 2015, more firms will be hacked. Security patches to fix operating systems, common use applications, and programming languages will be issued. A few of these vulnerabilities will surprise the experts. Firms will work hard to quickly deploy those patches. New technologies will emerge to detect and interdict the black hats. Firms will deploy those technologies, and the black hats will work out techniques to get around those protections. In information security, there are no silver bullets. It is a field that evolves every year, and each firm improves its program every year.

In 2015, we will see more intelligence sharing among firms, and firms will automate the consumption of that data. In recent years, there have been a number of joint information security exercises with multiple firms. As an example, SIFMA has held annual exercises in spring 2014 with 50+ firms taking part. Most firms conduct their own internal table-top exercises. I expect these exercises to continue.

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...

Jack, these are all important steps for companies to take. I think the emphasis you are placing on training employees on cyber security is very important since many breaches occur because employees inadvertently click on malware. But, as IEX's Ben Smith points out, new technologies are also going to be needed to stop the hackers from permeating networks and firewalls. But as we saw with Morgan Stanley's data breach, inside threats are also part of the problem.

This is just the beginning of many notable hires that will start occurring in the world of information security as businesses finally get serious about today's growing cyber security threats. Breaches will continue to happen so long as companies are lax about information security, and that's unfortunate. What's needed for helping ensure the safety and security of one's I.T. environment are the following three (3) mandates:

(1) Well-written information security policies and procedures – those that are actually followed!

(2) Annual security awareness training for employees – a structured training protocol that effectively discusses leading I.T. security threats and challenges, along with best practices.

(3) Proper provisioning and hardening of information systems – such as removing default accounts and insecure and unnecessary services and protocols.

The very best defense any company can have for ensuring the safety and security of organizational assets is employees who actually care about the organization and are highly trained in regards to identifying threats or concerns to the company as a whole.